Workplace hit by cryptolocker virus

[dowie]

Makes you wonder what changes will need to happen to curb these things. I know running browsers in a sandboxed environment is starting to take off but is a sandbox 100% secure?

Plus where do you think they are coming from, the ransom amount seems too small for it to have originated in the west. Then again maybe its just cheap enough for people to consider paying


This thread has prompted me to updated my offline backups though so thanks for that

probably a bunch of Russians spamming thousands of people at a time with no idea whether the targets are individuals or businesses

 

[Mynight]

We're planning to get hit by this soon. My manager wants to empower our users by given them admin rights to install what they want and unrestricted Internet access because something called ITIL told him this would make him popular. I assume ITIL is some sort of reference to bending over and fisting yourself in the anus but haven't Googled it to find out.

Pretty sure ITIL make cryptolocker .

I was also wondering about sand boxing. Must be a reason it isn't implimented more widely. Even if it was there's always going to be people finding new ways to break it.

 

[Rroff]

Plus where do you think they are coming from, the ransom amount seems too small for it to have originated in the west. Then again maybe its just cheap enough for people to consider paying

Probably a mixture of the fact it is just enough for people to consider paying and mixed with hitting 1000s of people means some percentage will pay.

Makes you wonder what changes will need to happen to curb these things. I know running browsers in a sandboxed environment is starting to take off but is a sandbox 100% secure?

Sandboxing and/or some type of virtualised setup is largely effective at isolating the local machine directly - but the sophistication of some of these mean you'd also need to isolate their network access from being able to see anything critical on the local network to be sure. While it is still in its infancy they are starting to make far more use of additional attack vectors though largely its a crude cocktail of other exploits packaged up to try and get the infection as far as possible.

 

[SexyGreyFox]

I reckon I open at least 20 PDF's a day from external sources at work.
I could get caught out very easily if someone knew what I did and aimed a well worded email.
Or should our Trust IT pick this stuff up?

 

[Azza]

We got hit by one about a year or so a go. User had received an email posing to be from the Royal Mail, clicked the link, downloaded a PDF to get some info and something and then it started doing its thing. Luckily it didn't seem to be a complex one as it only went through the shared files he had access to and didn't spread across the shared drives as a whole. Still a lot of data, but it hadn't got the backups either so it just took a while to get stuff back.

Our users are not the brightest though, couple of weeks a go one of them (the 2nd from top I might add) got an email from 'Apple' stating that his account was locked and it needed to be unlocked so he filled out an online form with his password and security answer questions. It then asked to verify him by inputting his credit card details and being his work account he didn't know, so he asked his PA who also didn't know, she then asked me if I could provide it.

*palm into face*


Had to very nicely tell him to reset his password and security details via the official website and even provided the link, to which his PA responded 'we've already done that from the email we got originally.'

*head into desk*

We're planning to get hit by this soon. My manager wants to empower our users by given them admin rights to install what they want and unrestricted Internet access because something called ITIL told him this would make him popular. I assume ITIL is some sort of reference to bending over and fisting yourself in the anus but haven't Googled it to find out.

Que!?!



What ITIL course did he go on?!

 

[SexyGreyFox]

Had to very nicely tell him to reset his password and security details via the official website and even provided the link, to which his PA responded 'we've already done that from the email we got originally.'

*head into desk*

Wow

 

[hanluc]

I have never worked for a company so I don't know how feasible it would be for companies to use Linux or other Unix based OS, but this surely would be a good safeguard.

 

[Pigeon_Killer]

Que!?!



What ITIL course did he go on?!

It's all the crap about reducing helpdesk calls by letting the users do what they want, when they want which appears to mean lowering security or removing it completely to keep them happy.

It's an accident waiting to happen but until it happens we're just going to spread our legs and lay out the welcome mat.

 

[Puzzled]

Probably a mixture of the fact it is just enough for people to consider paying and mixed with hitting 1000s of people means some percentage will pay.



Sandboxing and/or some type of virtualised setup is largely effective at isolating the local machine directly - but the sophistication of some of these mean you'd also need to isolate their network access from being able to see anything critical on the local network to be sure. While it is still in its infancy they are starting to make far more use of additional attack vectors though largely its a crude cocktail of other exploits packaged up to try and get the infection as far as possible.

How do cloud based email solutions stand up to this sort of thing?

Take something like the free gmail / outlook accounts where pdfs are viewed online in the cloud. Are they still able to execute code or would it need to be opened in adobe reader or by the browser pdf reader.

 

[Rroff]

The file would have to be executed locally either manually or via some kind of exploit - aslong as the file was viewed via some kind of online viewing functionality you'd be reasonably safe.

 

[Pawnless Endgame]

How do cloud based email solutions stand up to this sort of thing?

Take something like the free gmail / outlook accounts where pdfs are viewed online in the cloud. Are they still able to execute code or would it need to be opened in adobe reader or by the browser pdf reader.

I thought that the rogue files would be EXE but with a double extension like filename.PDF.EXE. Gmail won't present the PDF reader and will instead present the download button instead as per normal attachment. Then when you download it, Windows Explorer will show it as filename.PDF with the EXE bit hidden to fool the user.

 

[Caged]

How do cloud based email solutions stand up to this sort of thing?

Take something like the free gmail / outlook accounts where pdfs are viewed online in the cloud. Are they still able to execute code or would it need to be opened in adobe reader or by the browser pdf reader.

Google Apps has a really good track record - everything ends up in spam and access to the attachment is blocked unless you ignore all the warnings.

The delivery method for these now tends to be a zip archive with a .js file inside that does the deed.

 

[bitslice]

Can't see the problem here,
my old mail system split everything down, anyone not entitled to get a certain file type didn't get it. Anything remotely unusual in the email format was held back, any file not normally received from a company didn't pass either. Having a scripting back end for email systems is a joy.
I'm pretty sure it could also scan inside attached files for keywords, just in case you knew of an attack method, you could script your own filter for it.
I think at the time I was was working on something to confirm that the sender was genuine by interrogating the DNS listed mail server to confirm a genuine email, (or something like that?).
All PC's were kicked off the network at night, no point in having more points to attack that you have to.

Never faced a cryptovirus but no other virus ever got onto my network, almost zero spam too.

Something to audit excessive file writes should be possible, and flagging up a PC trying to access systems it shouldn't.

 

[LOAM]

Cryptoprevent can help stop this running by changing group policies to prevent executables running from certain OS folders. That and Eset with HIPS is what we are running, along with rotated offsite backups

 

[Sankari]

So, last wednesday evening someone (we think from the accounts dept) opened an email with a pdf in and unwittingly launched the crytolocker .coverton virus.

You can always rely on the number crunchers to do something unspeakably stupid.

 

[esoteric]

I can expect my company to get hit by this soon then. The people upstairs are so incredibly dense and our IT department is 1 bloke.

 

[SexyGreyFox]

You can always rely on the number crunchers to do something unspeakably stupid.

Why is it stupid?
Like me, if these guys are getting loads of 'Account' PDF's sent to them every day that look like 'Account' PDF's then the fault lies with IT not stopping it.

 

[Vince]

We've just recently moved from a cloud based email system, which worked well, to a m/soft exchange running on our own server and had nothing but problems with spam and attachments.

The latest is people receiving emails with .zip attachments coming from their own email addresses. ...How is that happening?

First thing to check is that your not an open smtp relay and if you are set your firewall up to stop this. The majority of mail issues will be closed by making sure that you are not a relay. After that you will find people spoofing mail headers to falsify email addresses. You can open these mail and find the properties, look for the envelope sender and normally this will give a much better idea of where the mail originated from, you can also at this point mimic what they are doing in telnet, spoof headers from outside the organisation and see how your infrastructure deals with it.

I find using a service like messagelabs (now Symantec cloud) as a gatekeeper to delivering emails gets rid of a bunch of the stuff that would normally make it's way through into exchange. On top of this I would also recommend a server side antivirus solution. We run Eset for exchange and it is actually very good at picking up the majority of sketchy emails.

This won't stop the odd email with spoofed headers but will massively thin down on the ones doing a bad job of trying to get these types of mail past your security.

 

[Rexxar]

You've demonstrated one important point though.

Always have secure offline backups.

This, Be it Hard-Disk , Solid State, Pen Drives, Or Tape , always have something physical somewhere else.

I'd be devastated if something happened to a lot of my old photo's of family that are no longer here. Let alone work-based files and data.

 

[Steve2000]

Why is it stupid?
Like me, if these guys are getting loads of 'Account' PDF's sent to them every day that look like 'Account' PDF's then the fault lies with IT not stopping it.

If it was as easy as just "stopping it" then the problem would barely exist. Stopping 100% of these emails is nigh on impossible on an enterprise level.